1. Field of the Invention
The present invention relates generally to the fields of financial transactions, security and methods for purchasing goods and services, and a framework thereof. More particularly, the present invention relates to a computer-implemented system, methods and processes, and a framework enabling consumers to purchase goods and services, primarily at the locations where the goods and services are offered, more securely, faster and more efficiently than current methods.
2. Description of the Related Art
To date, E-commerce (electronic commerce) for consumers (or business-to-consumer, B2C, transactions) is essentially a personal computer-mediated process. The typical consumer that wants to purchase a good or service though an e-commerce transaction (“buying on the web”) has to go through the following steps:
Buy or own a personal computer (PC);
Be physically present at the computer;
Have network access;
Turn on the computer;
Log on to the computer and/or to the network;
Open a web browser;
Identify, find and visit the particular website that offers the good or service of interest;
Find the correct item or service on that website and then add it to a “shopping cart”;
Provide the identity information, which might include signing up or creating an account for doing transactions in the particular website;
Enter payment and shipping information (typically a credit card);
Receive a proof of purchase for her records; and
Wait for the goods to be physically shipped.
Assuming the existence of a PC and a network connection, the remainder of the process typically requires 15-20 minutes for an experienced user. The current means and methods for consumer e-commerce transactions are expensive in terms of both money and time, complex, require proximity to a computer terminal, and are only available to a small percentage of consumers with the appropriate levels of experience and technological comfort.
Further, consumer e-commerce is basically a mail order system that replicates the “bricks and mortar” presence of a business in the virtual world and does not take advantage of merchants' “bricks and mortar” infrastructure and investment. The current system is particularly vulnerable to fraud since the vast majority of purchases on the web are CNP (Card Not Present) transactions meaning that there is no identity confirmation for these transactions, resulting in fraud costs that are primarily incurred by the merchants.
Participating in e-commerce requires a computer-literate end-user and substantial hardware. PC penetration is still very low, especially beyond the “first world” and it is unlikely that a computer-literate user and the “a PC at every household in the world” vision will happen in the next few years. A PC is a general purpose device that can be used for many different tasks, including the task of conducting e-commerce transactions. On the software side, a web browser, the universal client for electronic commerce, is not special purpose software but a client for accessing all kinds of web-based services.
Although mobile phones and PDA's can be also used for e-commerce, both follow the same paradigm, essentially bringing the browsing experience to a different device. But the essential elements of the paradigm remain, namely e-commerce is one of the multitudes of functions that can be accessed through a web browser (a universal user interface to the web) and a certain degree of computer literacy is still required, along with a considerable personal financial investment for such a client device.
In addition, various other devices including cell phones and personal digital assistants (PDAs) provide e-commerce capabilities.
Cell phones are intended for voice communication and despite the enormous success of data messaging (e.g., SMS messaging) attempts to broaden their usage by promoting them as web-browsing clients have failed. Additionally, the slow deployment and adoption of 2.5 G and 3 G equipment and services creates an uncertainty about the future of diversifying the usage of a mobile phone. Still, the penetration rate of mobile phones is very high.
PDA's on the other hand, have a low penetration rate and are relatively complex for use by the average person; they remain pretty much the domain of technically savvy users who carry a variety of similar gadgets. Also, their primary function is that of a personal organizer. Even though they have evolved to become very small factor personal computers, the limitations of keyboard and screen size make them inadequate at that. Special protocols such as WAP have been developed to overcome some of these types of limitations, but it has not been widely adopted, and this is not the appropriate delivery mechanism for many consumer services.
Another pager/e-mail client device of interest is the BLACKBERRY RIM device and devices similar to it. The evolution of BLACKBERRY device is from a pager/e-mail client device towards a full blown PDA. A BLACKBERRY device is much like a PDA with anywhere wireless connectivity, as opposed to connectivity to location-specific service spots.
Smartcards are being deployed as a replacement for traditional credit cards. The deployment includes new smartcard readers that will replace the traditional credit card transaction terminals. Each bank that issues a credit card will issue it's own smartcard, so there is going to be a one to one replacement for existing credit cards. New smartcards will provide all the functions of existing credit cards but will also be used as identity cards so that for example one could log into a corporate network through a machine that is equipped with a smartcard reader. Also, smartcards are intended to be used as digital wallets so a user could “load” digital money (Mondex (mondex.com)) into the smartcard.
Smartcards have complex mechanisms that are used to improve security and protect the operations concerning digital money. But, it is unclear how smartcards are more secure than current credit cards. Of course they will be more resistant to counterfeiting but if stolen they can be used by another person; since most of the time a PIN is not required for using the card (e.g., for shopping at a store) and, if a PIN is required, knowledge of the PIN would suffice to use the card. Because a user carries many cards and it would be impractical to remember the PIN for each of them, a PIN is not required when using the card for purchases. A smartcard can store other data, so for example one could use a more advanced identification method in conjunction with a smartcard reader attached to a terminal, e.g., insertion of the smartcard to a terminal invokes a biometric-based authentication application that runs on the terminal (not on the device).
Related art includes devices for financial transactions (e.g., credit cards, smartcards, etc.), wireless devices that can be used for financial transactions (e.g., mobile phones, PDA's etc.), methods for the transactions, security frameworks and protocols, purchasing methods and workflows and Point of Sale systems.
The following discusses related art involving wireless devices and purchasing.
Wireless POS (Point of Sale) Extensions
These are systems that effectively extend the cash register (POS). A store employee operates a small terminal that can transmit wirelessly to a base station at a store; the wireless terminal is a credit card reader, so that a consumer can check out (pay) at any location in a store, where the store employee happens to be. These systems have been criticized for being vulnerable to the security problems of the WEP protocol, which is used to provide a secure network connection between the wireless terminal and the base station terminal or POS.
Wireless Payment Processing
The systems essentially replace the merchant's regular phone line with a wireless link for the purpose of connecting to the financial institution that implements the transaction processing. Systems of this category are regular POS terminals that accepts credit cards (for swiping), like any other POS, but instead of using a regular land-line to connect to the processor of the merchant for authorizing the transaction, the use a wireless mobile phone connection for that purpose. Although this category by itself is not of such great interest, it is often combined with systems and innovations of some of the other discussed types, in order to provide a new kind of POS which is more portable and adaptable.
B2C (Business to Consumer) Transactions Using a Mobile Device
These are solutions that differ from desktop-based web browsing and shopping (B2C commerce) only in that the hardware client used is a mobile device. A PDA or a mobile phone that has wireless web access is used as a personal computer (similarly to any wired, or wireless, networked desktop or laptop with web access. Such solutions do not substantially differ from conducting e-commerce through a web-browser that accesses the general internet. What is important to note about these systems, is that when they are used for shopping the whole consumer experience and the associated steps and workflows do not differ from desktop-based shopping, Moreover, at the technical level, these systems use the same technologies used for desktop and laptops (for the purposes or shopping), or they rely on the stack of WAP-related protocols. The consumer has to enter payment information as she would in order to pay for something at any other e-commerce site on the web. Systems of this type are differentiated from systems that use mobile phones (described next) but require different workflows and infrastructure, even though the latter often use the WAP-related stack of protocols, because they attempt to speed-up and facilitate the submission of payment information by the user.
Mobile Phone-Based Shopping
A variety of systems use mobile phones for conducting purchases at physical POS (merchants) and virtual POS (on the web). These systems use the mobile carrier's network to carry the transaction.
Single Chip Mobile Phone
The customer uses a WAP-enabled mobile phone to make purchases from a participating merchant. The user experience is similar to browsing. Technically, the solution relies on the WAP (Wireless Application Protocol) stack of protocols, including WTLS (Wireless Transport Layer Security), which is similar to SSL (Secure Socket Layer) in intent. Such solutions employ a server-side wallet, which is typically provided by a participating banking institution. When accessing the merchant's virtual store, the user connects to the hosted virtual store (even though she might by physically in the physical store) and interacts with the virtual store in order to accomplish the purchase. This disconnect between physical and virtual store, requires some additional steps in the transaction workflow for making payment or for identifying the store to the user's device for the purposes of browsing (on the device) to the right place (URL and webpage). One of the goals of this approach is to involve all three major principals in the implemented system. The mobile phone manufacturer provides the WAP-enabled phone, the mobile carrier provided the value-add service to the user of using the mobile phone for purchases (also providing the hosted infrastructure and the server-side wallet) and the banking institution is the physical owner and processor of the server-side wallet related transactions. It is important to note that even if the merchant's server (the implementation of the merchant's virtual store) is located at (and perhaps operated by) the merchant's physical location, the transaction is carried by the mobile network.
Dual-Chip Mobile Phone
This category describes systems similar to the previous one but these mobile phones include a second chip (alongside the SIM card), the WIM (Wireless Identity Module) which can read a plug-in WIM chip. The WIM module (with the inserted WIM chip) is essentially a wallet embedded on the client device (the mobile phone) and provides a single banking account associated with the mobile phone. This approach does not require a server-side wallet, but the remainder of the user transaction and interactions are the same as with single chip mobile phone systems. Dual-chip mobile phones are associated with the technological choice of separating SIM and WIM chip cards and the resulting business model of bank/carrier collaboration, i.e., keeping separate the payment function (via the WIM card controlled by the bank) and the network function (via the SIM card controlled by the network operator).
Dual-Slot Mobile Phone
Such a system requires a phone that is equipped with a chip and slot for reading a smartcard (or even magnetic strip) based bankcard. The user inserts the card on the phone to authorize transactions using the PIN of the specific card. Such systems use protocols and technologies of mobile phones. The user of course needs to carry the actual credit cards. These systems do not require a server-side wallet in the typical sense. The server-side wallet serves as a temporary repository of the transaction data, prior to execution, but no permanent store of user's account data (or registration of accounts) is required.
Mobile Phone as Consumer Identifier
In these systems, the mobile phone may not be essential to the transaction. When used for virtual POS transactions (B2C purchasing on the internet) the mobile phone is “reduced” to the mobile's number which is in turn used to uniquely identify the consumer at the participating merchant's site. The remaining part of the transaction might continue without involving the mobile phone, or a callback to the user's mobile phone might be required, followed by the user entering some form of confirmation, such as PIN.
Mobile Phone for Physical POS
The mobile phone is used partially as a consumer identifier but is essential to the execution of the transaction at a physical POS. Although implementations differ in their workflows, the mobile phone's owner will receive a transaction (some times sent as a SMS) for a physical POS transaction initiated by the merchant, which the consumer will have to authorize by entering a PIN that authorizes processing of the payment at a server-side wallet account. Confirmations (in the form of SMS messages) are sent to both mobile phone and merchant. In these systems, the initialization of the transaction is not automated but it requires the physical exchange of some account identification (e.g., phone number or some other unique ID) between merchant and consumer and keying this ID into the POS or mobile phone, along with other transaction-related information. This category can also be thought of as a sub-class of single chip mobile phone systems.
Mobile-Phone Shopping with Direct Merchant-Mobile Phone Interaction
Systems discussed above rely on the mobile phone to carry the transaction between customer and merchant, coupled with a physical interaction (at physical POS) between merchant and consumer that exchanges an identifier (and/or associated data) that initialize the transaction. Both the merchant and the consumer use the mobile network to submit (separately) the transaction data to the carrier-operated back-end system that confirms the transaction but there is no direct electronic interaction between POS and consumer. Systems of this category on the other hand, utilize a short-range radio transport, usually wireless, so that the mobile phone can also direct connect to the merchant when the user is at the merchant's location. Such systems usually use a mobile phone equipped with Bluetooth. The transaction itself is still carried by the mobile phone network, but the Bluetooth link is used to transmit the merchant's identification code to the mobile phone, or for the mobile phone to transmit the payment receipt to the merchant.
There is another type of system that uses Bluetooth to directly interact with the POS. This is the work of the Mobile Electronic Transactions (mobiletransaction.org) consortium, whose primary members are mobile phone manufacturers. These are dual chip mobile phones with a SIM and a WIM. The WIM can be implemented in software instead of being a separate chip (e.g. a smartcard). The WIM is the (tamper-proof) certificate store and the module that is responsible for the security/transaction-related functions of the mobile phone. Bluetooth is used for a direct link with the physical POS. The phone can also be used over the GSM network for transactions on any web-accessible site. Bluetooth is used for discovery (of the POS) and for the wireless link. The WAP stack of protocols is used (WAP, WTLS, etc.) for the interaction between client (mobile) and server. Beyond that point all the workflows, security and transactions rely on using certificates. A certificate (assuming the existence of a Public Key Infrastructure, or PKI) is associated with a particular/specific banking account owned by the user; a user can have multiple certificates, each associated with a different account. Every time that the user accepts a payment, essentially she uses the certificate as a digital signature for signing the “payment contract” sent by the merchant from the physical POS that she connect to in the store. The Merchant sends that message to the acquirer, who will decrypt (with the help of the certificate authority) and then approve the payment (if all is well) and notify the merchant. The user can receive wirelessly new certificates for new accounts and at the end the user is responsible for managing the (on-the-mobile) database of certificates and the associated certification authorities. In turn the user has to understand and manage these certificates, a PKI has to be in place (including revocation of certificates for defunct accounts) and the user might need separate passwords or PIN's to unlock the certificates and or sign payment contracts with them.
The present invention overcomes the above-mentioned, and other, problems associated with the related art.